Customizing the DBMOVER Configuration File on the SSL Client

Customize the DBMOVER configuration file on the SSL client for SSL communication.
NODE Statement
The NODE statement specifies the server that you want to connect to in SSL mode.
NODE=(server_listener,TCPIP,remote_host,port_number,,,16384,16384,,{SSL|ZOSSSL})
Use the SSL parameter to access a Linux, UNIX, or Windows system.
For good performance, it is important that the packet sizes specified in comma positions 7 and 8 of the NODE statement do not exceed 16384.
Use the ZOSSSL parameter to access a z/OS system. However, use the SSL parameter, instead of the ZOSSSL parameter, if PTFs UK26131 (z/OS 1.8) or UK26132 (z/OS 1.9) have been installed on the z/OS machine. These PTFs rectify APAR PK46403.
To avoid command failure, maintain the relative position of the SSL or ZOSSSL parameter. Five empty parameters appear between the port number parameter and the SSL or ZOSSSL parameter.
SSL Statement
The SSL statement specifies the SSL key, pass phrase, and Certificate Authority list (CALIST) that you are using to make the SSL connection. For example:
SSL=(EPASS=encrypted_passphrase,KEY=personalkey.pem,CALIST=root.pem)
You can replace CALIST with CAPATH. For example:
SSL=(PASS=client,KEY=client.pem,CAPATH=/pwx/certs/)
To optimize performance, specify the location of multiple certificates with CAPATH.
Use CAPATH to specify the trusted CA directory of the OpenSSL installation on Linux or UNIX.
Use CAPATH to specify the ‘certs’ directory of the OpenSSL installation on Windows.
Authentication Statements
The SSL_REQ_SRVR_CERT statement in the DBMOVER file of the SSL client determines whether the client performs server authentication. When you configure an SSL client to perform server authentication, the client checks that the personal certificate of the server is in-date and signed by a Certificate Authority in the CA list of the client.
Use the following syntax:
SSL_REQ_SRVR_CERT={N|Y}
When the client authenticates server certificates, the SSL_ALLOW_SELFSIGNED statement specifies whether a self-signed certificate is sufficient to authenticate the server. Use the following syntax:
SSL_ALLOW_SELFSIGNED={N|Y}
If you configure the client to perform authentication of server certificates, you must make the CA certificates available to the client. Perform the following actions:
  • Copy the certificates to the client machine.
  • Install the certificates using the appropriate steps for the operating system. Refer to the documentation for the client operating system for information about installing certificates.
  • In the DBMOVER file, update the CALIST or CAPATH parameter of the SSL statement to point to the CA certificates on the client.
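The following added example, which is not part of the PowerExchange documentation or product, audits a client DBMOVER file against the NODE, SSL, and authentication statements described above. The function name audit_dbmover, the sample node names, hosts, and paths are constructed for illustration, and treating a missing SSL_REQ_SRVR_CERT statement like N is an assumption.

```python
import re

# Constructed sample client DBMOVER file; node names, hosts and paths are made up.
SAMPLE = """\
NODE=(node_ok,TCPIP,pwx1.example.com,2480,,,16384,16384,,SSL)
NODE=(node_shifted,TCPIP,pwx2.example.com,2480,,,16384,16384,SSL)
NODE=(node_big,TCPIP,pwx3.example.com,2480,,,32768,32768,,ZOSSSL)
SSL=(PASS=client,KEY=client.pem,CAPATH=/pwx/certs/)
SSL_REQ_SRVR_CERT=N
SSL_ALLOW_SELFSIGNED=Y
"""

def audit_dbmover(text):
    """Return findings for the client-side SSL statements described above."""
    findings, flags, ssl, uses_ssl = [], {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"(\w+)\s*=\s*\((.*)\)$", line)
        if m and m.group(1).upper() == "NODE":
            f = [p.strip() for p in m.group(2).split(",")]
            # 1-based positions of the SSL keyword, ignoring name/protocol/host/port
            modes = [i + 1 for i, p in enumerate(f) if i >= 4 and p.upper() in ("SSL", "ZOSSSL")]
            uses_ssl = uses_ssl or bool(modes)
            if modes and modes != [10]:
                findings.append(f"{f[0]}: SSL keyword at position {modes[0]}, expected 10")
            if any(p.isdigit() and int(p) > 16384 for p in f[6:8]):
                findings.append(f"{f[0]}: packet size above 16384")
        elif m and m.group(1).upper() == "SSL":
            pairs = (p.split("=", 1) for p in m.group(2).split(",") if "=" in p)
            ssl = {k.strip().upper(): v.strip() for k, v in pairs}
        elif re.match(r"\w+\s*=\s*\w+$", line):
            key, value = line.split("=", 1)
            flags[key.strip().upper()] = value.strip().upper()
    if not uses_ssl:
        return findings  # no SSL nodes, so the remaining checks do not apply
    if ssl is None:
        findings.append("SSL node defined but no SSL statement")
    elif "PASS" in ssl:
        findings.append("SSL: PASS stores the passphrase in clear text; use EPASS")
    # Assumption: a missing SSL_REQ_SRVR_CERT is treated like N.
    if flags.get("SSL_REQ_SRVR_CERT", "N") != "Y":
        findings.append("SSL_REQ_SRVR_CERT is not Y: server certificate is not checked")
    elif not ssl or not {"CALIST", "CAPATH"} & set(ssl):
        findings.append("server authentication enabled but no CALIST or CAPATH")
    if flags.get("SSL_ALLOW_SELFSIGNED") == "Y":
        findings.append("SSL_ALLOW_SELFSIGNED=Y: self-signed server certificates accepted")
    return findings

if __name__ == "__main__":
    for finding in audit_dbmover(SAMPLE):
        print(finding)
```

Run against the constructed sample, the audit reports the shifted SSL keyword, the oversized packet sizes, the clear-text PASS parameter, and both weak authentication settings.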